// -*- IDL -*-
// File: SSLIOP.idl
// Part of the Security Service with additions from the Firewall
// specification.

#ifndef _SSLIOP_IDL
#define _SSLIOP_IDL

#include "tao/IOP.pidl"
#include "Security.idl"
// #include <Firewall.idl>

#pragma prefix "omg.org"

module SSLIOP {

  /// Security mechanism SSL
  const IOP::ComponentId        TAG_SSL_SEC_TRANS = 20;

  struct SSL {
    Security::AssociationOptions    target_supports;
    Security::AssociationOptions    target_requires;
    unsigned short        _port;
  };

  // const Firewall::IdTag TAG_ID_SSL_CERT = xx;  // OMG allocated

  /// A DER encoded X.509 certificate.
  typedef sequence<octet> ASN_1_Cert;

  /// A chain of DER encoded X.509 certificates.  The chain is actually
  /// a sequence, according CORBA CDR encapsulation rules.
  /// The sender's certificate is first, followed by any Certificate
  /// Authority certificates proceeding sequentially upward.
  typedef sequence<ASN_1_Cert> SSL_Cert;

  /// The following are TAO extensions.
# pragma prefix "ssliop.tao"
  /// The SSLIOP::Current interface provides methods to gain access to
  /// the SSL session state for the current execution context.
  local interface Current : CORBA::Current {


    /// Exception that indicates a SSLIOP::Current operation was
    /// invoked outside of an SSL session.
    exception NoContext {};

    /// Return the peer certificate associated with the current
    /// request.
    ASN_1_Cert get_peer_certificate () raises (NoContext);

    /// Return the certificate chain associated with the current
    /// execution context.  If no SSL session is being used for the
    /// request or upcall, then the NoContext exception is raised.
    /**
     * On the client side, the chain does include the peer (server)
     * certficate.  However, the certificate chain on the server side
     * does NOT contain the peer (client) certificate.
     */
    SSL_Cert get_peer_certificate_chain () raises (NoContext);

    /// Returns true if the current execution context is not within a
    /// SSL session.  This method is mostly useful as an inexpensive
    /// means of determining whether or not SSL session state is
    /// available.
    boolean no_context ();
  };

  enum FileType {
    ASN1,
    PEM
  };

  struct File {
    FileType type;
    string filename;
    string password;   // Only needed for encrypted PEM files.
  };

  /// The AuthData structure is the SSLIOP-specific authentication
  /// data that will be passed to the
  /// SecurityLevel2::PrincipalAuthenticator::authenticate() method.
  /// Note that this TAO-specific.
  struct AuthData {
    File certificate;
    File key;
  };

# pragma prefix "omg.org"

};

#pragma prefix ""

#endif /* _SSLIOP_IDL */
